The last two years have seen an astounding growth in the number of people encountering ransomware.
As an individual or business owner, you may be wondering just what ransomware is, what kind of risk it poses to you, and how attacks like these can occur.
Here’s the breakdown.
What is ransomware?
Ransomware is a type of malware with the ability to silently encrypt your files, before demanding payment for their return – often with a time limit.
And not only does ransomware target your most valuable files, like photos, documents and spreadsheets, it can also lock down system files to render your web browser, applications, and entire operating system unusable.
How does ransomware get on my PC?
Most commonly, ransomware is spread via malicious email links and attachments – often concealed by changing the file extension and compressing the malicious code into a zip file. Opening the file infects your system.
Ransomware can also be bundled into other applications, such as games, video players, etc. So any application from an unknown or untrusted publisher is a potential risk upon installation.
Once on your system, ransomware works in the background, connecting to a remote server to encrypt single files, whole directories of files, or complete drives.
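The "changed extension inside a zip" trick described above can be checked for before an attachment is opened. The following is an added example, not AVG's code; the extension lists and the sample archive are constructed for illustration and can be tuned to your environment.

```python
"""Flag zip attachment members whose names hide an executable behind a
document-looking extension. Added example with a constructed in-memory
archive so it runs offline; the extension sets are assumptions."""
import io
import zipfile

# Extensions that run code when double-clicked on a typical Windows desktop.
EXECUTABLE_EXTS = {"exe", "scr", "js", "jse", "vbs", "wsf", "bat", "cmd", "hta", "pif", "com"}
# Harmless-looking extensions often used as the decoy half of a double extension.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}

def classify_name(name: str) -> list[str]:
    """Return the reasons a member name looks like a disguised executable."""
    reasons = []
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    if len(parts) < 2:
        return reasons
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
        if len(parts) >= 3 and parts[-2].strip() in DECOY_EXTS:
            reasons.append(f"double extension .{parts[-2].strip()}.{ext} hides the real type")
    # Runs of spaces push the real extension out of view in narrow file dialogs.
    if "   " in base:
        reasons.append("padding spaces before extension")
    return reasons

def scan_zip_attachment(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member of a zip attachment to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = classify_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample attachment; the members are placeholders, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"placeholder bytes")
        zf.writestr("notes.txt", b"plain text")
        zf.writestr("photo.jpg   .scr", b"placeholder bytes")
    return buf.getvalue()

if __name__ == "__main__":
    for member, why in scan_zip_attachment(build_sample_zip()).items():
        print(member, "->", "; ".join(why))
```

Mail gateways and endpoint tools apply the same idea with far larger lists and content inspection; this script only checks names, so a clean result is not a clean bill of health.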
How do I know if my PC is infected?
You’ll see a message pop up demanding payment, which can range from a few hundred to tens of thousands of dollars. Payment must usually be made in some form of anonymous currency, like Bitcoin.
But even if you pay the ransom, there are no guarantees your files will be unlocked.
So naturally, this kind of malware has incredibly serious consequences, particularly for businesses holding sensitive customer information or internal data that’s not securely backed up.
Does AVG protect against ransomware?
Our protection is multi-layered. Not only do we check against known malware variants and behavioral patterns in our virus database, we also further test previously unseen files in a secure virtual environment before they are executed on your PC. This is done using artificial intelligence, sophisticated behavioral analysis and various other methods.
And we automatically update it all, so you stay protected.
Ransomware – you will not find a more frequently used word in the antivirus industry in these past few months. AVG’s virus lab has analysed dozens of different ransomware “families” in that time.
Based on the number of new unique samples per day, it seems that the ransomware trend is steadily increasing.
Some ransomware families appear to have been created by amateur programmers eager to earn easy money (Radamant, LeChiffre, or Hidden-Tear derivatives, just to name a few), while others are developed by professionals and operated by cyber gangs (e.g. CryptoWall).
At present, the most active families are TeslaCrypt, CryptoWall, and Crypt0L0cker (aka TorrentLocker) with each of these families spreading in multiple ways. The most common infection methods are via exploit kits and phishing emails (as links or attachments).
More worryingly, we have identified “Ransomware-as-a-Service” offerings that are threatening to make things much worse. These often Tor-hosted (anonymous) websites make it possible to generate custom ransomware with just a few clicks – in return for a share (5-20%) of future earnings, i.e. ransom revenue.
But it’s also the brazen attitude and apparent confidence of some ransomware authors that is disturbing. We have found that the NanoLocker ransomware contains a now famous (and very unfortunate) statement that was made by a member of the FBI at a security conference.
How to protect your computers and networks against ransomware.
- Don’t trust any links or attachments in email – this remains the most common way that ransomware takes hold. If you weren’t expecting the email, do not open it. If unsure, always seek a second opinion from a tech savvy friend – or just delete the email.
- Keep your software and operating system updated. Ransomware is targeting not only Windows, but also Linux (e.g. Linux.Encoder) and even Mac.
- Uninstall unused or notoriously vulnerable applications – for example, if you don’t need Adobe Flash Player, remove it and any other applications you’re not using. Stick to the minimum.
- Use the latest protection software. AVG Internet Security is a great choice because it offers multiple layers of protection – we take the ransomware threat very seriously, and our software is capable of detecting the ransomware families mentioned earlier, plus more.
- Back up your files regularly and don’t forget to keep your backup media disconnected from your PC. Otherwise, your backups might get encrypted as well. This also applies to cloud storage and network drives (e.g. Dropbox, Google Drive).
What if it’s too late, and your files are already being held to ransom?
- If your files have already been encrypted by ransomware, the most important thing is to stay calm.
- You should immediately contact technical support (e.g. your IT department, your AV vendor) for further assistance, if available to you. You need to seek expert advice as early as possible.
- We strongly advise against paying the ransom. You’ve got no guarantee from the criminals that your files will be restored. And, if every ransomware victim refused to pay the ransom, this type of crime would quickly reduce in occurrence.
- It is quite possible that the decryption key is still located on the computer. Many ransomware families contain weaknesses in their encryption algorithm, which may make it possible to decrypt your files even without paying the ransom! It may take some time to spot and exploit such weaknesses, so in the meantime don’t delete your encrypted files; there may still be hope (so call tech support).